tr00g33
New Contributor

One-armed sniffer, only broadcast traffic

Hello!

 

I'm testing the one-armed sniffer functionality on a Fortigate 60E, and I have the problem that I see only some broadcast traffic, no unicast traffic.

 

Cisco 3750 configuration:

monitor session 1 source vlan 24
monitor session 1 destination interface Fa2/0/11 - 12

 

Fortigate configuration:

config system interface
    edit "internal7"
        set vdom "root"
        set ips-sniffer-mode enable
        set type physical
        set alias "Sniffer"
        set device-identification enable
        set snmp-index 7
    next
end

 

On Fa2/0/11 I connect the Fortigate; on Fa2/0/12 I connect a PC running Wireshark. In Wireshark I can see all the traffic (ICMP, HTTP, etc.); on the Fortigate only broadcast traffic:

Example output of the command diagnose sniffer packet internal7:

 

.348708 arp who-has 192.168.24.64 tell 192.168.24.1
329.348709 arp who-has 192.168.24.64 tell 192.168.24.1
329.842556 0.0.0.0.5678 -> 255.255.255.255.5678: udp 117
329.842605 0.0.0.0.5678 -> 255.255.255.255.5678: udp 117
329.842763 llc unnumbered, ui, flags [command], length 81
329.843403 192.168.24.34.57378 -> 255.255.255.255.5678: udp 115
329.843438 192.168.24.34.57378 -> 255.255.255.255.5678: udp 115
329.843602 llc unnumbered, ui, flags [command], length 96
330.107867 arp who-has 192.168.24.30 tell 192.168.24.31
330.107867 arp who-has 192.168.24.30 tell 192.168.24.31
330.348694 arp who-has 192.168.24.64 tell 192.168.24.1
330.348697 arp who-has 192.168.24.64 tell 192.168.24.1
331.107879 arp who-has 192.168.24.30 tell 192.168.24.31
331.107927 arp who-has 192.168.24.30 tell 192.168.24.31
331.348814 arp who-has 192.168.24.64 tell 192.168.24.1
331.348833 arp who-has 192.168.24.64 tell 192.168.24.1
331.652233 arp who-has 192.168.24.41 tell 192.168.24.1
331.652249 arp who-has 192.168.24.41 tell 192.168.24.1

 

In Wireshark I can see all the traffic. Does anybody have any idea what I'm missing? It reminds me of a similar situation when I was once sniffing traffic with a VMware virtual machine and the network card was not in promiscuous mode...

Any help would be much appreciated.
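To put a number on the symptom in this post (only ARP requests, limited broadcasts and LLC frames reaching the sniffer interface, no unicast at all), here is an added example, not code from the post or from Fortinet: a small Python parser that classifies lines of FortiGate `diagnose sniffer packet` output as broadcast, multicast, unicast or other, and reports whether the mirror port is delivering any unicast at all. The line-format rules are my own assumptions read off the output quoted above, not a documented schema; the "healthy mirror" sample and its addresses are constructed for comparison.

```python
"""Classify FortiGate `diagnose sniffer packet` (verbosity 1) lines to check
whether a SPAN / one-armed sniffer port is actually delivering unicast frames.

Added example. Parsing rules are assumptions derived from the output quoted in
the forum post; the HEALTHY_SAMPLE lines and their addresses are constructed.
"""
import re
from collections import Counter

# FortiGate prints IPv4 addresses with the port appended as a fifth dotted
# field, e.g. "192.168.24.34.57378" (assumption based on the quoted output).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+):\s+(?P<proto>\w+)"
)

# Every record starts with a six-decimal timestamp; used to re-split output
# that was pasted onto a single line, as in the post.
TS_BOUNDARY = re.compile(r"\s+(?=\d+\.\d{6}\s)")

# Lines taken from the post (a representative subset).
POST_SAMPLE = """\
329.348708 arp who-has 192.168.24.64 tell 192.168.24.1
329.842556 0.0.0.0.5678 -> 255.255.255.255.5678: udp 117
329.842763 llc unnumbered, ui, flags [command], length 81
329.843403 192.168.24.34.57378 -> 255.255.255.255.5678: udp 115
330.107867 arp who-has 192.168.24.30 tell 192.168.24.31
"""

# Constructed: what a working mirror would add on top of the broadcast noise.
HEALTHY_SAMPLE = POST_SAMPLE + """\
331.000001 192.168.24.34.51234 -> 10.0.0.5.80: syn 1234567890
331.000452 10.0.0.5.80 -> 192.168.24.34.51234: syn 987654321 ack 1234567891
331.100000 arp reply 192.168.24.30 is-at 00:11:22:33:44:55
"""


def split_runs(text: str) -> list[str]:
    """Split sniffer output whose records were pasted onto one line."""
    return [p for p in TS_BOUNDARY.split(text.strip()) if p]


def classify(line: str) -> str:
    """Return 'broadcast', 'multicast', 'unicast' or 'other' for one record."""
    body = line.strip()
    if not body:
        return "other"
    if " arp who-has " in body:
        return "broadcast"      # ARP requests go to ff:ff:ff:ff:ff:ff
    if " arp reply " in body:
        return "unicast"        # ARP replies are addressed to the requester
    m = LINE_RE.match(body)
    if not m:
        return "other"          # e.g. "llc unnumbered ..." control frames
    dst = m.group("dst_ip")
    first_octet = int(dst.split(".")[0])
    # Limited broadcast, or a /24-style directed broadcast (heuristic: the
    # real mask is not in the sniffer output, so ".255" is an assumption).
    if dst == "255.255.255.255" or dst.endswith(".255"):
        return "broadcast"
    if 224 <= first_octet <= 239:
        return "multicast"
    return "unicast"


def summarize(text: str) -> Counter:
    """Count records per class; accepts multi-line or single-line pasted output."""
    lines = text.splitlines() if "\n" in text.strip() else split_runs(text)
    return Counter(classify(ln) for ln in lines if ln.strip())


def mirror_delivers_unicast(text: str) -> bool:
    """True when at least one unicast frame is present. A switch floods
    broadcast/unknown-unicast frames to every port anyway, so seeing only
    those classes says nothing about whether the SPAN session works."""
    return summarize(text)["unicast"] > 0


if __name__ == "__main__":
    for name, sample in (("as posted", POST_SAMPLE),
                         ("constructed healthy mirror", HEALTHY_SAMPLE)):
        counts = summarize(sample)
        print(f"{name}: {dict(counts)} -> unicast seen: {mirror_delivers_unicast(sample)}")
```

Run it against a capture saved from the sniffer CLI (or paste the one-line output into `summarize`): a result with zero unicast while the Wireshark host on the sibling SPAN port shows full sessions points at the FortiGate side of the mirror, which matches what the replies below eventually attribute to the FortiOS version rather than the switch.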

3 REPLIES
bascheew
New Contributor III

I'm having the same problem -- on Wireshark I see much more than Fortigate sniffer packet is showing.  Did you find a resolution?

tr00g33

Hello,

 

No, I did not find a solution; I abandoned the design and put the FW in transparent mode to monitor traffic. If anybody finds the solution I will be glad to hear it.

When I have time I will open a case at Fortinet to see if they can help me, because this function is great for some cases.

bascheew
New Contributor III

I want to report that I upgraded to FortiOS 6.0.x and it's now working as expected.
